Time For Tokens?

The same process occurs for phone orders except that agents click onto Paymetric-provided payment screens and do the typing. Patil says the entry system is virtually identical to the one previously used and required little agent retraining.

CSN Stores and Sage Software both say integrating tokenization into their systems required in-house customization and development work, but that it was relatively painless as security updates go.

Both say having an existing relationship with a vendor helped pave the way. “We know adopting tokenization now has put us a little ahead of the game,” Malone says. “Part of it was Litle coming out with this offering when we were already thinking about it. It made sense to leverage what we already had with them.” Patil says tokenization took about two months to implement as part of a larger technology update. He says the company converted all stored card data into tokens using a conversion tool over one weekend.

Industry experts warn, however, that other retailers may have a harder time purging card data from their systems. That’s especially true if a company uses payment card data as business intelligence fodder in areas such as customer service, sales and marketing.

Companies also have to rewrite internal business processes to accept tokens in place of card numbers. “Until PCI came to be, no one really knew who or why they had access to card data. It’s designing that new system and changing the business process in every division that is hard,” says Julie Fergerson, an e-commerce security expert who is vice president of emerging technologies at Ethoca, a provider of e-payment fraud-detection services, and co-founder of the Merchant Risk Council.

Litan says tokenization can require a big clean-up job for some, but will be less onerous for smaller and newer retailers. “If you are just setting up a web site for the first time or haven’t used the data a lot,” she says, “tokenization can be easy.”